It looks like Lockheed Martin is the latest victim in what seems to be an endless string of security breaches. This time however, it does not look like a lack of security measures led to the breach. In fact, it seems that Lockheed’s implementation of a widely-trusted security tool was the attack vector this time around.
Last month we reported on the apparent compromise of RSA’s SecurID product, and while many speculated that this intrusion could lead to subsequent attacks, the firm downplayed the breach. They stated that the stolen data was unlikely to affect their customers, but as usual, the problem appears to be far larger than originally estimated.
The breadth of the intrusion is currently unknown, and with both RSA and Lockheed officials keeping mum, it may be some time before anyone knows how serious it is. When military secrets are in question however, you know it can’t be good!
SecurID is a two-factor hardware-based authentication system. It requires you to enter the number displayed on a hardware fob like the one seen above, along with the rest of your login information. It’s regarded to be a very secure method of protecting information when users are logging into a company’s secure system remotely. But as with everything else, there’s always a way to break the security. It sounds like last month someone hacked into the servers of the company that makes SecurID.
You’ll need to read between the lines of that letter from RSA (the security division of EMC) Executive Chairman [Art Coviello]. He admits that someone was poking around in their system and that they got their hands on information that relates to the SecurID system. He goes on to say that the information that the attackers grabbed doesn’t facilitate direct attacks on RSA’s customers.
We’d guess that the attackers may have what they need to brute-force a SecurID system, although perhaps they have now way to match which system belongs to which customer. What’s you’re take on the matter? Lets us know by leaving a comment.
[Rodney Thayer] gave a 2 hour seminar on cryptographic technology. It was designed to give the audience a working knowledge for dealing with vendors. He gave some rules of thumb for choosing encryption. In order of preference, when doing symmetric key crypto: use AES with a minimum 128bit key, if not that 3-key Triple-DES, or last RC4 with 128bit key. For hashing: SHA 256 preferred, SHA 1 if you can’t do any better, and MD5 if you can’t SHA. For public key: RSA using at least a 2048bit key. The top choices in these lists were picked because they’ve stood up to years of scrutiny. One major theme of talk was to never roll your own crypto algorithm or buy someone elses. Proprietary algorithms get broken all the time, like the GSM A5 crypto we talked about earlier this year.